ISO/IEC 27037

ISO/IEC 27037:2012 – Information technology — Security techniques — Guidelines on identifying, gathering, acquiring, and preserving digital evidence

Introduction

Digital forensic evidence is defined as “digital data that can be used as evidence in court” and this standard defines how to identify, collect, acquire, handle, protect, and preserve this evidence.

The ISO27k digital forensics standards are aimed at promoting good practise methods and processes for forensically capturing and investigating digital evidence. There may be differences in the methods, processes, and controls employed by individual investigators, organizations and jurisdictions, over time standardization is expected to result in similar, if not the same, approaches internationally, allowing comparisons, even if performed by different individuals or organizations in different jurisdictions.

In forensic investigations, ensuring the integrity of evidence is imperative when it comes to acquiring and preserving evidence. In the same way that conventional physical evidence is important, it is also crucial for the first and subsequent responders (referred to as “Digital Evidence First Responders” and “Digital Evidence Specialists”) to follow structured procedures designed to ensure that all digital forensic evidence is collected and secured officially. A process must do more than just ensure integrity; it must guarantee nothing harmful has taken place. To accomplish this, there must be a defined baseline level of information security controls met or exceeded.

Digital forensic evidence can come from any type of electronic storage or communications device, such as a cellphone, a computer, an iPod, a video gaming console, etc. By its very nature, digital forensic evidence is fragile, and can easily be damaged or tampered with accidentally or deliberately.

There were no globally accepted standards on acquiring digital evidence before ISO/IEC 27037 was released. The police have created guidelines for acquiring, protecting, and preserving electronic evidence. Having said that, when transnational crimes are committed, it can be difficult to present the forensic evidence obtained in one country in another. The evidence that was obtained or protected without requisite security may be technically inadmissible.

Scope and objectives

Specifically, the standard provides detailed guidance on how to identify, collect and/or acquire, mark, store, transport, and preserve electronic evidence to preserve its integrity. Defining and describing the processes used for recognizing and identifying evidence, documenting the crime scene, gathering and preserving evidence, and packaging and transporting evidence.

Rather than covering vehicle systems, cloud computing, etc., the focus is on ‘traditional’ IT systems and media. Guidelines are primarily aimed at first responders.

The legislative systems of each country are unique. Some crimes may not even be considered crimes in another jurisdiction. It is challenging to synchronize processes across international borders to prosecute cybercriminals to the full degree. As a result, it is important to establish a means of exchanging and utilizing reliable evidence (for instance, a digital evidence management standard).

“Digital evidence”, which refers to information gathered from digital devices to be presented in court, varies across different jurisdictions. By avoiding the use of jurisdiction-specific terminology, the standard will have the broadest possible applicability. It does not cover analysis of digital evidence or the weight, relevance, admissibility of digital evidence. Additionally, no specific tools or methods will be required.

Structure and content

1 Scope
2 Normative reference
3 Definitions of terms
4 Abbreviated terms
5 Overview
6 Main elements of identification, collection, acquisition and preservation of digital evidence
7 Instances of identification, collection, acquisition and preservation

Annexe A: Description of first responder skills and competencies relating to digital evidence

Annexe B: Documents required for evidence transfer

Bibliography

The standard’s status

Publication of the standard was in 2012 and confirmation was in 2018.

Standards relevant to the topic

The standard pertains to the initial capture of digital evidence.

As part of ISO/IEC 27041, guidance is offered on assurance issues in digital forensics, such as ensuring that the right tools and methods are being used.

As a result, ISO/IEC 27042 addresses what happens after digital evidence has been obtained, namely, its interpretation and analysis.

Forensics are typically conducted within the context of the wider incident investigation activities covered by ISO/IEC 27043.

The ISO/IEC 27050 standard (in four parts) deals with electronic discovery, which is pretty much the same as the other standards.

British Standard BS 10008:2008 “Evidential weight and legal admissibility of electronic information. Specification.” is also worth looking at.

Commentary

While they appear to cover different facets of forensics, SC 27 is creating several distinct forensics standards, which are complementary elements of the same process. In my opinion, a multipart standard would be better, including a section explaining how the various pieces fit together.